oleaut32: Cope with invalid icon data in OLEPictureImpl_LoadIcon

Bruno Jesus 00cpxxx at gmail.com
Tue Sep 29 09:15:45 CDT 2015


Signed-off-by: Bruno Jesus <00cpxxx at gmail.com>

While testing bug [1] I noticed that invalid data is sent to
OLEPictureImpl_LoadIcon leading to a crash. This patch is meant to
resist this kind of issue and makes the game go on a little
further until another unrelated crash.

Tried in wine-devel as RFC but did not get a reply, so forwarding to wine-patches.

[1] https://bugs.winehq.org/show_bug.cgi?id=21012
diff --git a/dlls/oleaut32/olepicture.c b/dlls/oleaut32/olepicture.c
index 5d0d801..5ce83e0 100644
--- a/dlls/oleaut32/olepicture.c
+++ b/dlls/oleaut32/olepicture.c
@@ -1210,6 +1210,8 @@ static HRESULT OLEPictureImpl_LoadIcon(OLEPictureImpl *This, BYTE *xbuf, ULONG x
     HDC hdcRef;
     int	i;
 
+    TRACE("(this %p, xbuf %p, xread %u)\n", This, xbuf, xread);
+
     /*
     FIXME("icon.idReserved=%d\n",cifd->idReserved);
     FIXME("icon.idType=%d\n",cifd->idType);
@@ -1226,6 +1228,13 @@ static HRESULT OLEPictureImpl_LoadIcon(OLEPictureImpl *This, BYTE *xbuf, ULONG x
 	FIXME("[%d] dwDIBOffset %d\n",i,cifd->idEntries[i].dwDIBOffset);
     }
     */
+
+    /* Need at least one icon to do something. */
+    if (!cifd->idCount)
+    {
+        ERR("Invalid icon count of zero.\n");
+        return E_FAIL;
+    }
     i=0;
     /* If we have more than one icon, try to find the best.
      * this currently means '32 pixel wide'.
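Review bot: the new `if (!cifd->idCount)` check dereferences the CURSORICONFILEDIR header before anything in this function has verified that `xread` is large enough to hold that header, so a truncated buffer still reads past its end before the zero-count case is ever reached. The same applies to the entry table that the loop below walks with `cifd->idEntries[i]` for every `i` up to `idCount`: nothing here confirms that `idCount` entries actually fit in `xread` bytes. Suggest checking `xread >= sizeof(CURSORICONFILEDIR)` first, then that the entry table ending at `idEntries[idCount]` lies within `xread`, and only then testing `idCount` and selecting an entry.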
@@ -1237,6 +1246,12 @@ static HRESULT OLEPictureImpl_LoadIcon(OLEPictureImpl *This, BYTE *xbuf, ULONG x
 	}
 	if (i==cifd->idCount) i=0;
     }
+    if (xread < cifd->idEntries[i].dwDIBOffset + cifd->idEntries[i].dwDIBSize)
+    {
+        ERR("Icon data address %u is over %u bytes available.\n",
+            cifd->idEntries[i].dwDIBOffset + cifd->idEntries[i].dwDIBSize, xread);
+        return E_FAIL;
+    }
     if (cifd->idType == 2)
     {
         LPBYTE buf = HeapAlloc(GetProcessHeap(), 0, cifd->idEntries[i].dwDIBSize + 4);
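Review bot: `cifd->idEntries[i].dwDIBOffset + cifd->idEntries[i].dwDIBSize` is an unsigned 32-bit sum that can wrap for crafted entries, so an offset or size near the DWORD maximum produces a small total, the `xread <` comparison passes, and the subsequent `HeapAlloc(..., dwDIBSize + 4)` and copy still run on out-of-range values. Rewrite the bounds test so neither operand can wrap, for example `if (cifd->idEntries[i].dwDIBOffset > xread || cifd->idEntries[i].dwDIBSize > xread - cifd->idEntries[i].dwDIBOffset)`. Minor: the ERR text calls the value an "address" although it is the end offset of the DIB data; "Icon data end offset %u exceeds %u bytes available" reads more accurately.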